Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that they do not become an open relay.

To combat spambots in an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network, i.e., the LAN. In a typical scenario, the users stationed in the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them and forward the emails towards their destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send and receive emails on their phones, tablets and laptops at work, at home, on the go, or even from their favorite coffee shop around the corner. For people who are in the field for critical services, a simple email alert could save a lot of time, effort and money.

To cope with the need for mobility, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connection without proper authentication. As a smart spammer can imitate a legitimate email account, no SMTP submission, even from internal users, is accepted without authentication.

This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.

Depending on your requirements, permit_mynetworks can be allowed or denied later on.
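An added configuration example (not the article's own listing; the file paths and the Dovecot socket location under the Postfix queue directory are assumptions) showing the LAN-trust setting beside the SASL-enforcing one, with Dovecot exposing the authentication socket that Postfix consumes:

```ini
# /etc/postfix/main.cf  (assumed path; added example, not from the article)

# Weak: any host on the LAN may relay without authenticating.
# smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Hardened: delegate authentication to Dovecot over a UNIX socket and
# require it from everyone, including clients inside mynetworks.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Relative paths are resolved against queue_directory (/var/spool/postfix).
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
# Offer AUTH only after STARTTLS so passwords never cross the wire in clear.
# Caveat: a client that cannot do STARTTLS will then be unable to log in.
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
# Put permit_mynetworks in front of permit_sasl_authenticated only if some
# LAN host that cannot authenticate (e.g. a monitoring box) must still relay.

# /etc/dovecot/conf.d/10-master.conf  (assumed path)
service auth {
  # Socket path matches smtpd_sasl_path above; owned by the postfix user
  # so only the Postfix smtpd process can query it.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/dovecot/conf.d/10-auth.conf  (assumed path)
# PLAIN and LOGIN are safe only because AUTH is restricted to TLS sessions.
auth_mechanisms = plain login
```

After reloading both daemons, `postconf -n | grep sasl` shows the active Postfix settings, and an unauthenticated relay attempt from a LAN host should now be rejected with "Relay access denied".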

To sum up, SASL can provide additional security to a mail server by enforcing mandatory authentication of users for SMTP requests. As users may use a mail server from anywhere, SASL can meet the security requirements without conflicting with the mobility of users.

Hope this helps.


Sarmed Rahman is an IT professional based in Australia. He writes tutorial articles on technology every now and then from a belief that knowledge grows through sharing. During his free time, he loves gaming and spending time with his friends.

4 thoughts on “How to enable user authentication for a Postfix SMTP server with SASL”

I got a problem a few days back. Some mobile devices (Galaxy Note2 / others) do not support STARTTLS. But my mobile had the STARTTLS option. Later I had to tune the settings and set the option to None in Security Type.

Thanks for the clear instructions. I was able to apply these steps to a VirtualMin fresh install and found that I only had to change the path when creating the certificates. From /etc/ssl/... to /etc/pki/tls/...

Thanks for including the Thunderbird setup image at the end. TB auto-detected the same values.